An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

Note! Your computer might be affected by Bucbi Ransomware and other threats.

Threats such as Bucbi Ransomware may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

Security researchers at Palo Alto Networks disclosed that an old ransomware family – Bucbi ransomware – has been just revived after 2 years of silence. The Bucbi threat was discovered in 2014, and it hasn’t been registered active since then. Not only it has been revived but it has also been updated. Above, you see the original ransom note used by Bucbi in 2014’s attacks.

Threat Summary

Name

Bucbi Ransomware

Type

Ransomware

Short Description

Bucbi ransomware was first spotted in 2014, but has been just revived.

Bucbi Ransomware: Current Distribution

When it was first reported, Bucbi was spread via HTTP downloads and exploit kits. Now a new distribution technique has been adopted by its authors – delivery via brute-forcing RDP accounts on Internet-facing Windows servers. However, Bucbi’s code is also modified – it no longer needs Internet connection to propagate.

Who Is Behind Bucbi Ransomware?

According to the ransom notes dropped by Bucbi, it’s operated by a far-right Ukrainian nationalist political party called Ukrainian Right Sector. According to Wikipedia, Right Sector has originated in 2014 as a paramilitary confederation at the Euromaidan revolt in Kiev. The group which opposes Russia became a political party on 22 March 2014. In 2014, Right Sector claimed to have approximately 10,000 members.

As for Bucbi’s recent attacks, it’s still not known whether the information about Right Sector provided in the ransom notes is accurate or falsified. However, multiple Russian identifiers have been discovered in the latest infections, which contradict to the ransomware authors’ claims of Ukrainian origin.

Bucbi Ransomware: Technical Overview

As already mentioned, Bucbi’s latest distribution depends on brute-forcing techniques and open RDP (Remote Desktop Protocol) ports. Palo Alto researchers believe that the threat actors may have used a tool named RDP Brute (Coded by z668). This is a list of the IP addresses associated with Bucbi’s latest attacks at the end of March 2016:

184.197.69

44.191.251

117.151.236

161.40.11

101.31.126

Researchers also believe that the attackers first targeted PoS devices but later changed their tactics to monetize their malicious attempts. Palo Alto researchers have shared some of the usernames specific to PoS systems:

Some of the usernames specific to PoS systems include strings such as BPOS, FuturePoS, KahalaPoS, POS, SALES, Staff, and HelpAssistant.

In conclusion, the latest variant of Bucbi ransomware implies to have been employed by Right Sector. If this claim is truthful, this would mean that the Ukranian far-right party has entered cybercrime, possibly to fund their cause, Palo Alto researchers write. However:

Attribution of this particular attack is difficult as there simply isn’t enough evidence to conclusively determine who is behind it. Various conflicting evidence make it impossible to say for sure. However, what is clear is that attackers are shifting tactics in how ransomware is deployed, and ensuring their malware is constantly being updated to deter defenders.

Bucbi Ransomware Removal & Decryption

Bucbi’s cryptography is still being investigated. More details will be available soon. It’s known that after the encryption process is finished, a README.txt will be placed on the user’s desktop:

The BitCoin address mentioned in the above screenshot has a single payment of 0.00896 BTC at the time of writing. This payment, being so low in value, was likely a test transaction used. The email address of ‘[email protected]’ has ties with the Ukrainian Right Sector in a number of external publications […].

If you have been infected by Bucbi ransomware, consider following the steps below. However, since the threat is still being analyzed, there is no guarantee that encrypted files will be decrypted via any alternative methods.

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!